MAG Insights

Announcements from the MAG & Featured Articles

Evolution in Payments: EMV is Not the Only Three Letter Word in This Story (MAG Quarterly- Volume Five, Issue Three)

By Laura Townsend, SVP, Operations, Merchant Advisory Group

September 7, 2017

The financial investments retailers have made to deploy EMV in the U.S. have been recognized as quite significant. This coupled with unexpected fraud losses and unexpected transaction declines, EMV and all the three letter words that come with it have negatively impacted merchant businesses and their ability to best serve their customers.

EMVCo published that 18.6% of U.S. card present transactions were chip on chip as of year-end 2016. While over 675 million chip cards (52.2%) were issued and 1.7 million point of sale terminals had enabled chip transactions as of December 2016, the 18.6% penetration suggests we have a bit of a journey to reach the approximate 90% penetration that other countries have been able to achieve.

The U.S. migration has been – and suspect will continue to be – a painful journey. Let’s recall a few of the challenges experienced to date that have plagued its success.

1. ECL

Many of our early EMV adoption members reported experiences of significant fraud losses in the early stages of their 2016 deployment which some continued to experience through the first half of 2017. It appears a substantial portion of these fraud losses are related to an issue referred to as the Empty Candidate List (ECL -- a.k.a. “missing candidate” or “invalid AID”).

The short version is that EMV enabled merchants were subject to counterfeit fraud chargebacks for chip on chip transactions in the range of thousands to millions of dollars each. How could that be? MAG learned that EMV specifications provided to merchants by merchant acquirers certified by the global card brands had an error in the code causing transactions to be incorrectly identified to the issuing bank as one that occurred on a non-EMV compliant terminal.

When questioned, MasterCard contends that it was within the issuers’ rights in accordance with MasterCard rules to seek recovery for these transactions. Essentially, the global brands through their rules forced merchants to deploy EMV or risk significant shift in counterfeit fraud losses. MasterCard specifically enabled rules for its issuers to pass on those very losses to the merchant blaming the issue on a flaw in the “interpretation” of the code for which it along with all the global networks certified for merchant deployment. Unfortunately, MasterCard has failed to respond to MAG’s request to consider some level of restitution for merchants that have incurred this unfair and unreasonable financial burden.

It is clear that merchants who successfully deployed an EMV specification as designed and certified by any global payment network should not be absorbing financial losses for counterfeit fraud. Limiting counterfeit fraud losses as a result of the liability shift is the ONLY compelling reason for some merchants to implement EMV. Merchants have not necessarily seen a net reduction in overall fraud losses and chargebacks when comparing pre/post EMV migration. I can’t imagine how corporate leaders responsible for payments at public companies deal with their Executives and Boards of Directors asking why a program is being deployed that (a) doesn’t increase sales, (b) negatively impacts profitability and (c) negatively impacts the customer experience. There are so many better ways to spend investment dollars.

2. SAF & ATC

Recently a MAG sponsor raised an emerging issue regarding SAF (store and forward) declines on EMV transactions and tokenized mobile wallet transactions. Many merchants SAF transactions to accommodate the customer experience. For example, to enable speed of checkout during periods of intermittent connectivity, merchants will store the transaction and forward it once connectivity resumes.

Unfortunately, MAG was able to validate through many of our leading merchant members that have deployed EMV, these SAF declines are a real issue. It is true that the merchant does assume the risk of a SAF transaction being declined by the issuer for reasons such as insufficient funds, credit limit exceeded, fraud, etc. However, merchants did NOT expect to receive such a decline due to a sequencing issue related to the Application Transaction Counter (ATC). In the end, SAF declines usually result in the customer receiving free merchandise since the merchant is unable to receive reimbursement of funds associated with that sale from the issuer.

How is this an issue specific to EMV? When a merchant stores and forwards EMV chip or tokenized mobile wallet transactions, the Application Transaction Counter (ATC) that provides a sequential reference to each transaction becomes be out of sync and Issuers decline the transaction. An ATC does not come into play with magnetic strip transactions. The ATC is a sequence number that is tracked like a counter on each EMV chip card/mobile wallet transaction. Issuers use the ATC number as a fraud detection tool and an out of sequence can indicate a potentially fraudulent transaction. For example, in a SAF scenario the issuer sees transactions 1, 2, 4, 5 followed by a 3. The transaction with the 3 (which was stored and forwarded once available) is declined by the issuer since it is expecting a 6.

Because of this issue, some merchants have stopped processing SAF transactions since they assume all financial risk. Ultimately, in this scenario the customer experience is negatively impacted. Apparently, a future systemic fix is coming but until then either merchants take risk of loss or the customer has a negative experience when the transaction is declined. Nobody wins here. It seems reasonable that proper planning for EMV in the U.S. would have enabled issuer fraud systems to accommodate SAF transactions without declines, but this is but one of many instances in which the global payment networks’ hurried conversion to EMV fell short. If you think about it, the issuer is aware of a potential SAF since they approved a 4 without seeing a 3 in the sequence. Since the transaction sequence scenario above jumped from 2 to 4, couldn’t they reconcile when the 3 shows up subsequently?

3. CD-CVM

In the world of NFC mobile payment transactions at the point of sale in retail, there is a cardholder verification method (CVM) that has been named Consumer Device CVM (CD-CVM). Another name for the same is On Device CVM (OD-CVM).

CDCVM enables the use of biometrics via the mobile device (ie. fingerprint) as an eligible cardholder verification method. Unfortunately, the EMV specification does not enable CDCVM for the Common AID. Therefore, if the Common AID is selected by the payment terminal, the biometric CDCVM is not evident in the transaction and, instead, the issuer will see the transaction as having no cardholder verification since a PIN is not present. Why does this matter, really? First, as a result of the approach taken in the U.S. limiting the Common AID from these more advanced CVM methods, the issuer is not able to make a better authentication decision using a superior CVM. Second, the issuer has a higher likelihood of declining the transaction with no CVM which is a poor customer experience.

On a separate but related note, the issuers perform an ID & V (Identification & Verification) process to ensure card credentials are legitimate as they are input by consumers into 3rd party wallets that use this more advanced biometric CVM (e.g. the “Pays”). Yet the merchant assumes all risk of counterfeit fraud on Visa in-app or on-line “Pays” transactions even though the same ID & V process is used for card present face to face “Pays” transactions which come with zero merchant liability. At least MasterCard recognizes the merchant should not bear the risk of counterfeit fraud when the same ID & V process is used by the issuer for by a 3rd party wallet leveraging CDCVM just because the consumer uses the wallet in a different channel.

Bottom line…the financial investments retailers have made to deploy EMV have been recognized as quite significant. This coupled with the liability shift, unexpected fraud losses, and unexpected transaction declines as described above, EMV in the U.S. (and all the three letter words that come with it) have negatively impacted merchant businesses and their ability to best serve their customers.

On behalf of its members, the MAG asks the global networks to quickly address these and other outstanding gaps with EMV and acknowledge that implementations without reasonable timelines put unnecessary burden and financial distress on the merchant community, a stakeholder critical to the ecosystem. It would be at least a decent gesture for the networks to extend the end date for chargeback relief to enable more progress on merchant EMV migration.

Finally, it would be an oversight not to again raise MAG’s concern over the continued use of proprietary specifications versus open standards such as EMV and tokenization which are owned and directed by the global payment networks within a closed environment. See my past article on Groundhog’s Day. Although there are benefits to EMV, the use of proprietary specifications does not enable the level of market competition necessary to foster the development and growth of innovative product solutions required to drive fraud out of the system. A continued lack of equitable merchant input into organizations like EMVCo will continue to result in technology challenges and a less efficient system overall.